CLI signature verification output
Hi @gabriel
I want to use keys to sign a SHA256 hash of a binary, but the UX seems off to me. As far as I can tell so far, there is no output when the signature is successfully verified. The only obvious sign that it did something is a 0 exit code.
I started with this:
sha256sum mybinary | keys sign -s btburke@github -m armor,detached > mybinary.sig
Then verified with this:
sha256sum mybinary | keys verify -s btburke@github -x mybinary.sig
That works, because I get "verify failed" if I make a change to the binary.
But from a user-experience perspective, I think it would inspire more confidence if a successful verification also had something on stdout, with maybe a -q, --quiet flag to only look at the return code.
Yeah, adding in a --quiet option sounds like a good idea.
I think the bigger issue is the lack of any output when you verify something. For example, if I sign a file with minisign, I get a nice console output saying that the signature is valid, time, comment, etc.
$ minisign -V -m test.txt
Signature and comment signature verified
Trusted comment: timestamp:1589922579 file:test.txt
The other nice thing about the minisign UX is that there is an option to hash large files and then sign the hash instead of the whole file.
Saltpack sign v2 supports streaming in the case of large files, https://saltpack.org/signing-format-v2.
I haven't looked into supporting comments and time and nicer output, but those sound like good improvements.
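The behaviour asked for in this thread (a message on success, a quiet mode that leaves only the exit code) can be had today with a small wrapper around the verify pipeline. This is an added example, not part of the original posts or of the keys project: the function name `verify_digest` and its `-q` flag are hypothetical, and the `keys verify` arguments in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not part of keys): verify_digest and its -q flag are hypothetical.
# Usage: verify_digest [-q] FILE VERIFIER [ARGS...]
#   e.g. verify_digest mybinary keys verify -s btburke@github -x mybinary.sig
# Exit status: 0 verified, 1 verification failed, 2 FILE could not be hashed.
verify_digest() (
    quiet=0
    if [ "$1" = "-q" ]; then quiet=1; shift; fi
    if [ "$#" -lt 2 ]; then
        echo "usage: verify_digest [-q] FILE VERIFIER [ARGS...]" >&2
        exit 2
    fi
    file=$1; shift

    # Hash first and check that step on its own: in "sha256sum f | verifier"
    # the pipeline reports only the verifier's exit status.
    # sha256sum prints "<hex>  <name>", so FILE must be named exactly as it
    # was when the digest line was signed.
    if ! line=$(sha256sum -- "$file"); then
        echo "ERROR: cannot hash $file" >&2
        exit 2
    fi

    # Feed the verifier the same bytes the signing pipeline produced.
    if printf '%s\n' "$line" | "$@"; then
        [ "$quiet" -eq 1 ] || echo "OK: signature verified for $file (sha256 ${line%% *})"
        exit 0
    fi
    [ "$quiet" -eq 1 ] || echo "FAILED: signature does not match $file" >&2
    exit 1
)
```

Because the signed data is the whole `sha256sum` line, verifying the same binary under a different path (for example `./mybinary` instead of `mybinary`) fails even though the hash is identical.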